Commit Graph

93 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
07fde44784 fix for EXPLAIN mode 2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
64003397ba fixed recursion at exit 2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
dad17607a0 firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT 2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97 fix for issue #43 2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24 system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes 2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc Merge branch 'master' of github.com:ktsaou/firehol 2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc accounting warning moved on first use of an accounting rule. 2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30 Fix chain-exists logic in: with recent/knock/limit
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing; fixed error handling of the restore feature; made 'debug' mode aware of the ipv4 and ipv6 2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021 better support for restoring postprocessed commands - any kind of command, not just kernel modules 2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with its packet and byte counters, so that when restored it continues where it left off. So at boot it should be called with "restore" and at shutdown it should be called with "stop" 2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212 fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces 2014-11-19 01:50:47 +02:00
Phil Whineray
521e8c142d Delete activation rules by spec not number
Fixes #41

The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee Prevent all IPv6 actions after initial disable 2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8 Detect non-IPv6 hosts 2014-10-18 08:04:12 +01:00
Phil Whineray
6dd351f5cc Fix "accept with limit"
Chain names were created too long and only the first of IPv4 or IPv6
2014-10-15 17:11:03 +01:00
Phil Whineray
a6a5e55c41 Create functional helpme output
Includes pointers to the IPv6 upgrade documentation

Fixes issue #35
2014-10-04 13:38:34 +01:00
Phil Whineray
5fecbb9591 Remove redundant firehol_wget and wget_cmd helpers
They were used by ecn_shame only, which was removed some time back since
the list is no longer available.

Thanks to Jerome Benoit
2014-10-04 10:54:32 +01:00
Phil Whineray
1f0db36baf Use mktemp for temporary directories during RPC
Slightly safer than random numbers because it can never conflict

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
da7b96e7ab Don't delete and recreate the temporary directory
mktemp already ensured it was unique as part of creating it

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
87f8827e75 Treat mktemp like other required commands
Add it to configure script and use the which_cmd to detect at runtime.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761 Silence module detection warning when not loading
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532 Update copyright strings
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e8c70871c5 Do not fix source ports for DHCPv6
Some servers do not use them, and the RFC allows this.

http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10 Explain that ICMPv6 ND/RD packets are untracked 2014-07-27 11:25:02 +01:00
Phil Whineray
f741b4b422 Ensure dst4 and dst6 work in interface
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
e323bd501f reworked tproxy parameters parsing for issue #25 2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0 tproxy support. beta. may not work. fixed issue #25 2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
c732df28a6 added warning if MARK and CONNMARK are used together, for issue #23 2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4 added support for failed lines detection for issue #22, improved connmark for issue #23 2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1 another connmark fix for issue #23 2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140 another connmark fix for issue #23 2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae connmark fix for issue #23 2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc fixes issues #22 and #23 2014-03-13 00:20:00 +02:00
Phil Whineray
750da174ca Fix IPv4-only save/restore and fastactivation
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78 Fix firehol save
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836 Use IPv4 only unless config version is set as 6 2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a Fix line numbering for new commands 2014-02-03 22:58:10 +00:00
Phil Whineray
097ae80b91 Apply ipv4/ipv6 to whole group 2014-02-03 22:56:56 +00:00
Phil Whineray
43c27203eb Add helpers for interface and router
interface4, interface6, interface46
router4, router6, router46
2013-12-01 19:57:57 +00:00
Phil Whineray
6a25798e2b Added DHCPv6 service 2013-12-01 17:56:34 +00:00
Phil Whineray
90f158887c Update line-numbering to work with any awk 2013-12-01 17:16:41 +00:00
Phil Whineray
25d693dc86 Enable fast activation for IPv6 2013-12-01 14:59:44 +00:00
Phil Whineray
35c2a0443a Finalise setup of internal IP variables
For IPv4 we look for files named:
  MULTICAST_IPV4 but will use MULTICAST_IPS if it is all there is
  PRIVATE_IPV4 but will use PRIVATE_IPS if it is all there is
  RESERVED_IPV4 but will use RESERVED_IPS if it is all there is

For IPv6 we look for files named:
  MULTICAST_IPV6
  RESERVED_IPV6
  PRIVATE_IPV6

Within a configuration the variables can be used as:
  router src4 not "$PRIVATE_IPV4" src6 not "$PRIVATE_IPV6"

or using the equivalent 'special variable' which expands according to need:
  router src not "$PRIVATE_IPS"
2013-11-24 11:09:46 +00:00
Phil Whineray
a7a42b33a9 Do not lose negative src/dst when in both mode 2013-11-23 10:44:16 +00:00
Phil Whineray
8386193c90 Force ping rules to use correct versions of icmp 2013-11-23 09:58:19 +00:00
Phil Whineray
d69b02df24 Evaluate ip lists at time of extraction 2013-11-23 09:00:59 +00:00
Phil Whineray
44bcff7577 Allow multiple functions to be used at once 2013-11-23 09:00:59 +00:00
Phil Whineray
d65d0dd256 Allow IPv4 and IPv6 in one src/dst using functions
The same function will be evaluated in both ipv4 and ipv6 context. It
should be defined to return appropriate values at the appropriate time.
2013-11-23 09:00:58 +00:00
Phil Whineray
c259ad8e7c Work with only IPv4 or IPv6 where necessary
Disables the other if the commands are not available or do not work.
2013-11-23 08:48:37 +00:00